Aug 23, 2023 - 4:15 p.m.

CVE-2023-37379

2023-08-23 16:15:09
CWE-918
CWE-400
CWE-200
web.nvd.nist.gov
apache airflow
security vulnerability
cve-2023-37379
authentication
dos
connection edit
server management
upgrade
user permissions
attack surface

CVSS3: 8.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

AI Score: 7.8 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 48.3%)

Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.

Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.

Affected configurations

Node: apache airflow, Range: 2.7.0

CPE             Name            Operator  Version
apache:airflow  apache airflow  lt        2.7.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.7.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
